From bdd019376f61a3625218531b7aa81fcb6cd6b068 Mon Sep 17 00:00:00 2001
From: yuriyryabikov <22548029+kurok@users.noreply.github.com>
Date: Wed, 27 May 2026 08:58:41 +0100
Subject: [PATCH] ci: add build provenance attestation for dist/index.js

Signed-off-by: yuriyryabikov <22548029+kurok@users.noreply.github.com>
---
 .github/workflows/package.yml | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/.github/workflows/package.yml b/.github/workflows/package.yml
index 3b403ba3..3f2944e7 100644
--- a/.github/workflows/package.yml
+++ b/.github/workflows/package.yml
@@ -9,6 +9,10 @@ jobs:
   package:
     name: Package distribution files
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      id-token: write
+      attestations: write
     steps:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -20,6 +24,10 @@ jobs:
         run: npm run lint
       - name: Package
         run: npm run package
+      - name: Attest dist provenance
+        uses: actions/attest-build-provenance@96b4a1ef7235a096b17240c259729fdd70c83d45 # v2
+        with:
+          subject-path: dist/index.js
       - name: Commit
         run: |
           git config --global user.name "GitHub Actions"